I am developing a web site which I need to use Client Side Authentication by way of certificates to validate registered users of the site. I was just wondering if anyone is doing this, and if so how have they deployed the certificates to the clients? I was thinking of secure e-mail for the certificate, and then sending the password to the certificate via secure text message. If I implement that approach I will have to generate the certificates on the fly as it were -> PHP calls shell script containing openssl commands. I think there are probably security implications to that approach, as you are blindly signing certificates. I can't think of any other way to do it. If I was to generate the certs "offline" as it were, I think that might render the whole thing unusable, and I would have to be available 24/7 to generate the certificates.

Any ideas greatly appreciated?

/jlar

malfist

08-05-2008, 02:35 PM

What are you talking about, do you mean something to say, this user is real other than a login?

eeijlar

08-05-2008, 02:45 PM

Ok, so when the user enters their user name and password then the site will ask them to supply a certificate to validate their identity. If they don't have a certificate then no dice. It ties the user to the machine, and ensures that no one can log on with that user name and password even if they get hold of it somehow. User name and password is fine, but certificates offer a higher level of authentication. It ensures that you are who you say you are. In Firefox the certificate would be found in: Tools -> Options -> Advanced -> Encryption -> View Certificates -> Your Certificates. All users of the site would have to have a certificate supplied by the web site stored here. It is similar to what banks use to authenticate clients on online banking web sites.

malfist

08-05-2008, 02:47 PM

I don't think there is anything on the client side for that, minus Active-X and you don't want to do that. You could compare IP addresses, but that's a no for those who don't have a static ip (dial-up, some forms of ADSL/DSL).

Perhaps you should check this out:
Wish it were two (http://thedailywtf.com/Articles/Wi****Was-TwoFactor-.aspx)

forum filter software is crappy: here's the link broken up so you can actually see it:
http://thedailywtf.com/Articles/Wish
ItWas-TwoFactor-.aspx

djm0219

08-05-2008, 03:05 PM

It is similar to what banks use to authenticate clients on online banking web sites.

I've never seen a bank use a client certificate for authentication. What you describe is, essentially, a public key infrastructure (PKI) and it is not a road you want to travel.

The certificates in the browser are used to establish trust for sites using SSL not for client authentication of any sort. The CA (Certificate Authority) at the root of the certificates supplied with browsers is what confirms that a site is in fact legitimate. It has nothing to do with the user behind the browser.

eeijlar

08-05-2008, 03:18 PM

Hi,

Thanks for your reply. I am not going with two-factor so!!! That's why certificates seem to be better if a little bit cumbersome.

/jlar

malfist

08-05-2008, 03:23 PM

You don't understand, Certificates are two-factor authentication. You could possibly use a cookie, but if the user has cookies turned off, or deletes them, they wouldn't be able to login again.

Honestly, I would not use a web application that forced me to use one computer and one computer only. I use anywhere from 3-5 computers a day and I need to be able to access everything from each of them. Could you explain why you think you need this type of security?

djm0219

08-05-2008, 03:28 PM

In addition to what malfist said, what would compel me, as a client, to trust your certificate, let alone install it? How are you going to handle the calls for help when people have no clue at all what to do with a certificate? And what is a "secure text method" that you mentioned in your first post? I don't have anything that accepts a text method and there are other people who won't either.

eeijlar

08-05-2008, 04:09 PM

I've never seen a bank use a client certificate for authentication. What you describe is, essentially, a public key infrastructure (PKI) and it is not a road you want to travel.

The certificates in the browser are used to establish trust for sites using SSL not for client authentication of any sort. The CA (Certificate Authority) at the root of the certificates supplied with browsers is what confirms that a site is in fact legitimate. It has nothing to do with the user behind the browser.

Hi Dave,

Ok, just so we are clear, this is what I am trying to implement:

Server Side Verification
When you log on to certain sites you will see a little padlock on the right hand side of the screen. This means that the web site has been authenticated by a third party such as VeriSign or Thawte. So basically, VeriSign has verified that this web site is who it says it is, and not some dummy site. This bit is straightforward: you just buy a cert from Thawte.

Client Side Verification
This is where the web site creates a signed certificate for the client. This is a .p12 file issued to the client, via a secure e-mail or some other method. When the client imports the certificate to their browser they will be asked for a password which was added to the cert when it was signed. When they have successfully imported the cert then they can access the web site, as it can successfully verify that they are, who they say they are.

Is this the public key infrastructure you were referring to? It doesn't seem that complicated. I have already created client certs.

djm0219

08-05-2008, 04:20 PM

Yes, that's a very simplistic view of what a PKI is. The second point that malfist raised is just one of the stumbling blocks to implementing what you want to do. The other problems you are likely to face are massive user confusion and lack of understanding/acceptance.

On your side of things, managing revocation of certificates and preventing the client certificates from being "shared" are other considerations. Unless you are on an Intranet of some sort where policy may be used to try and enforce what you are trying to do, I can't imagine the general public understanding it or using it.

I have to ask what it is that is so critical that you believe this type of authentication is required?
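The issuance flow eeijlar describes (a script around openssl that signs a client cert and hands the user a password-protected .p12), the "blindly signing" worry from the first post, and the revocation problem raised just above can all be seen in one small private CA. The script below is an added example written for this thread; it is not code from anyone in the discussion. It assumes openssl is on the PATH, and the CA name, the user names and the .p12 passwords are constructed values. Each CSR is checked before signing (its self-signature must verify and its CN must equal the account name, and certificate extensions always come from the CA config, never from the CSR), and a CRL is kept so that a certificate can be withdrawn and the server-side check will then fail for it.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal private CA issuing
# password-protected .p12 client certificates, checking CSRs before
# signing, and keeping a CRL for revocation. All names/paths hypothetical.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)/ca}"
OUT_DIR="${OUT_DIR:-$CA_DIR/issued}"
CA_NAME="Example Counselling Client CA"   # constructed CA name

# One-time CA setup. In production ca.key stays off the web server; the
# PHP side would only hand CSRs to a separate signing host.
setup_ca() {
    mkdir -p "$CA_DIR/newcerts" "$OUT_DIR"
    : > "$CA_DIR/index.txt"
    echo 1000 > "$CA_DIR/serial"
    echo 1000 > "$CA_DIR/crlnumber"
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = client_ca
[ client_ca ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
unique_subject = no
policy = policy_cn_only
x509_extensions = client_ext
[ policy_cn_only ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
EOF
    openssl req -x509 -config "$CA_DIR/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" -days 3650 \
        -subj "/CN=$CA_NAME" 2>/dev/null
    gen_crl   # an empty CRL, so -crl_check works from day one
}

# Refuse to sign blindly: the CSR signature must verify and its CN must be
# the account name. copy_extensions is unset, so CSR extensions are ignored.
sign_csr() {
    user="$1"; csr="$2"; crt="$3"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    csr_cn=$(openssl req -in "$csr" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    [ "$csr_cn" = "$user" ] || { echo "CSR CN '$csr_cn' != '$user'" >&2; return 1; }
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -in "$csr" -out "$crt" 2>/dev/null
}

# Generate key + CSR for a user, sign it, and bundle key, cert and CA into
# the .p12 the user imports; the password is what the browser asks for.
issue_client() {
    user="$1"; p12_password="$2"
    key="$OUT_DIR/$user.key"; csr="$OUT_DIR/$user.csr"; crt="$OUT_DIR/$user.crt"
    openssl req -new -config "$CA_DIR/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$key" -out "$csr" -subj "/CN=$user" 2>/dev/null
    sign_csr "$user" "$csr" "$crt"
    openssl pkcs12 -export -inkey "$key" -in "$crt" -certfile "$CA_DIR/ca.crt" \
        -name "$user" -out "$OUT_DIR/$user.p12" -passout "pass:$p12_password"
    rm -f "$key" "$csr"   # only the .p12 leaves this host
}

gen_crl() {
    openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
}

# Revoke a user's certificate and republish the CRL the web server loads.
revoke_client() {
    openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$OUT_DIR/$1.crt" 2>/dev/null
    gen_crl
}

# The server-side check: chain to our CA and consult the CRL.
# Returns 0 only for a currently valid, unrevoked client certificate.
verify_client() {
    openssl verify -CAfile "$CA_DIR/ca.crt" -CRLfile "$CA_DIR/crl.pem" \
        -crl_check "$OUT_DIR/$1.crt" >/dev/null 2>&1
}

# Demonstration: issue, verify, revoke, verify again.
if command -v openssl >/dev/null 2>&1; then
    setup_ca
    issue_client alice 'constructed-p12-password'
    if verify_client alice; then echo "alice: valid"; fi
    revoke_client alice
    if ! verify_client alice; then echo "alice: revoked, login must be refused"; fi
    echo "artifacts in $OUT_DIR"
fi
```

The .p12 password is never written anywhere on the server; it would travel by whatever second channel the site settles on, separately from the file. The CRL side is the part that tends to be forgotten: without `gen_crl` being run and the web server reloading the result, a revoked user keeps logging in until the certificate expires on its own.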

eeijlar

08-05-2008, 04:24 PM

In addition to what malfist said what would compel me, as a client, to trust your certificate let alone install it? How are you going to handle the calls for help when people have no clue at all what to do with a certificate? And what is a "secure text method" that you mentioned in your first post? I don't have anything that accepts a text method and there are other people that won't too.

Secure SMS message is what I meant... we call them text messages over here

djm0219

08-05-2008, 04:41 PM

You assume that everyone can receive such things (I can't).

I'm not trying to rain on your parade/idea but I worked on a PKI for a corporation with over 300,000 people on a controlled intranet and after over a year we concluded that a) it wasn't worth it in the end (mainly because of additional support costs and the cost of creating trusted certificates), b) it would be far too confusing for the end users, c) there wasn't going to be an easy way to handle revocation lists and d) having end users move to a different system, which is going to happen to everyone at some point, took us right back to problems a, b and c.

eeijlar

08-05-2008, 05:11 PM

Hi,

Thanks for all the replies. It's an online counselling application. The whole basis of the application is that all communications are secure. I am implementing it with some people who work in the mental health profession. One of the problems that they have encountered in similar efforts is being unable to identify that the person they are talking to is who they say they are. If this site had 150 clients it would be deemed very successful.

/jlar

malfist

08-05-2008, 05:47 PM

Then you should seriously look into two-factor security. Seriously, if you're in the USA, you have to deal with HIPAA laws and the only way to cover your tracks is to use two-factor security.

eeijlar

08-05-2008, 06:21 PM

Do you not think certificates offer an even higher level of security than e.g. 'What's your dog's name?', if you could find a usable way of implementing them?

I know your experience suggests that you cannot...

/jlar

malfist

08-05-2008, 07:21 PM

"What is your dog's name" is not two-factor security. Reread that article I linked to; it's talking about the failed ways it is done, not how it should be done.

You've got to validate they are who they are, i.e. username/password and what's your dog's name. And that they are human: captcha, e-mailed hash, PGP signature, etc.